github.com/teknogeek/dnscontrol/v2@v2.10.1-0.20200227202244-ae299b55ba42/docs/_providers/route53.md

---
name: Route 53
layout: default
jsId: ROUTE53
---
# Amazon Route 53 Provider

## Configuration
You can specify the API credentials in the credentials json file:

{% highlight json %}
{
  "r53_main": {
    "KeyId": "your-aws-key",
    "SecretKey": "your-aws-secret-key",
    "Token": "optional-sts-token",
    "DelegationSet" : "optional-delegation-set-id"
  }
}
{% endhighlight %}

You can also use environment variables, but this is discouraged unless your environment already provides them (for example, a CI runner that injects short-lived credentials into the job).

```
$ export AWS_ACCESS_KEY_ID=XXXXXXXXX
$ export AWS_SECRET_ACCESS_KEY=YYYYYYYYY
$ export AWS_SESSION_TOKEN=ZZZZZZZZ
```

{% highlight json %}
{
  "r53_main": {
    "KeyId": "$AWS_ACCESS_KEY_ID",
    "SecretKey": "$AWS_SECRET_ACCESS_KEY"
  }
}
{% endhighlight %}

Alternatively, if you want to use [named profiles](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html), export the following variables. `AWS_SDK_LOAD_CONFIG=1` makes the Go SDK read `~/.aws/config` in addition to `~/.aws/credentials`, which is where profile settings such as `role_arn` live.

```
$ export AWS_SDK_LOAD_CONFIG=1
$ export AWS_PROFILE=ZZZZZZZZ
```

You can find some other ways to authenticate to Route53 in the [go sdk configuration](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html).

## Metadata
This provider does not recognize any special metadata fields unique to Route 53.

## Usage
Example JavaScript:

{% highlight js %}
var REG_NONE = NewRegistrar('none', 'NONE');
var R53 = NewDnsProvider('r53_main', 'ROUTE53');

D('example.tld', REG_NONE, DnsProvider(R53),
    A('test','1.2.3.4')
);
{% endhighlight %}

## Activation
DNSControl depends on a standard [AWS access key](https://aws.amazon.com/developers/access-keys/) with permission to list, create and update hosted zones.
If you do not have the required permissions you will receive the following error message: `Check your credentials, your not authorized to perform actions on Route 53 AWS Service`.

You can apply the `AmazonRoute53FullAccess` managed policy, however it grants far more than DNSControl needs. The minimum permissions required are as follows:

{% highlight json %}
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "route53:CreateHostedZone",
        "route53:GetHostedZone",
        "route53:ListHostedZones",
        "route53:ChangeResourceRecordSets",
        "route53:ListResourceRecordSets",
        "route53:UpdateHostedZoneComment"
      ],
      "Resource": "*"
    }
  ]
}
{% endhighlight %}

`"Resource": "*"` is unavoidable for `route53:ListHostedZones` and `route53:CreateHostedZone`, which do not support resource-level permissions. If the account only needs to manage zones that already exist, you can drop `CreateHostedZone` and move the remaining four actions into a second statement whose `Resource` lists only the zones DNSControl manages (`arn:aws:route53:::hostedzone/<ZONEID>`), so a leaked key cannot rewrite records in any other zone in the account.

If Route53 is also your registrar, you will need `route53domains:UpdateDomainNameservers` and `route53domains:GetDomainDetail` as well, and possibly others.

## New domains
If a domain does not exist in your Route53 account, DNSControl will *not* automatically add it with the `push` command. You can do that either manually via the control panel, or via the `dnscontrol create-domains` command.

## Delegation Sets
Creation of new delegation sets is not supported by this code. However, if you have a delegation set already created, for example:

```
$ aws route53 create-reusable-delegation-set --caller-reference "foo"
{
  "Location": "https://route53.amazonaws.com/2013-04-01/delegationset/12312312123",
  "DelegationSet": {
    "Id": "/delegationset/12312312123",
    "CallerReference": "foo",
    "NameServers": [
      "ns-1056.awsdns-04.org",
      "ns-215.awsdns-26.com",
      "ns-1686.awsdns-18.co.uk",
      "ns-970.awsdns-57.net"
    ]
  }
}
```

You can then reference the DelegationSet.Id in your `r53_main` block (with your other credentials) to have all created domains placed in that delegation set.
Note that you only want the portion of the `Id` after `/delegationset/` (the `12312312123` in the example above).

> Delegation sets only apply during `create-domains` at the moment. Further work needs to be done to have them apply during `push`.

## Caveats
This code may not function properly if a domain has R53 as a Registrar
but not as a DnsProvider. The situation is described in
[PR#155](https://github.com/StackExchange/dnscontrol/pull/155).

In this situation you will see a message like:

```
----- Registrar: r53_main
Error getting corrections: AccessDeniedException: User: arn:aws:iam::868399730840:user/dnscontrol is not authorized to perform: route53domains:GetDomainDetail
	status code: 400, request id: 48b534a1-7902-11e7-afa6-a3fffd2ce139
Done. 1 corrections.
```

If this happens to you, we'd appreciate it if you could help us fix the code. In the meanwhile, you can give the account the additional IAM permissions (`route53domains:GetDomainDetail` and related actions) so that it can do registrar actions, or simply use `NewRegistrar(..., 'NONE')` for now.

## Error messages

### Creds key mismatch

```
$ dnscontrol preview
Creating r53 dns provider: NoCredentialProviders: no valid providers in chain. Deprecated.
	For verbose messaging see aws.Config.CredentialsChainVerboseErrors
```

This means that the creds.json entry isn't found. Either there is no entry, or the entry name doesn't match the first parameter in the `NewDnsProvider()` call. In the Usage example above, note
that the string `r53_main` is specified in `NewDnsProvider('r53_main', 'ROUTE53')` and that is the exact key used in the creds file above.

### Invalid KeyId

```
$ dnscontrol preview
Creating r53_main dns provider: InvalidClientTokenId: The security token included in the request is invalid.
	status code: 403, request id: 8c006a24-e7df-11e7-9162-01963394e1df
```

This means the KeyId is unknown to AWS.

### Invalid SecretKey

```
$ dnscontrol preview
Creating r53_main dns provider: SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
	status code: 403, request id: 9171d89a-e7df-11e7-8586-cbea3ea4e710
```

This means the SecretKey is incorrect. It may be a quoting issue.

### Incomplete Signature

```
$ ./dnscontrol preview
IncompleteSignature: 'ABCDEFGHIJKLMNOPQRST/20200118/us-east-1/route53/aws4_request' not a valid key=value pair (missing equal-sign) in Authorization header: 'AWS4-HMAC-SHA256 Credential= ABCDEFGHIJKLMNOPQRST/20200118/us-east-1/route53/aws4_request, SignedHeaders=host;x-amz-date, Signature=571c0b13205669a338f0fb9f351dc03c7016c8737c738081bc885c68378ad877'.
	status code: 403, request id: 12a34b5c-d678-9e01-f2gh-3456i7jk89lm
```

This means a space is present in one or more of the credential values.
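As an added example (not part of the DNSControl project or of this page's original content), the following Go program performs the offline preflight checks implied by the Configuration, Delegation Sets and Error messages sections: it looks up the creds.json entry named in `NewDnsProvider()` (the creds key mismatch case), expands `$VAR` references the way the creds file permits, flags whitespace inside a value (the Incomplete Signature case), warns on unexpected key lengths (assumption: long-term AWS access key IDs are 20 characters and secret keys 40) and strips a `/delegationset/` prefix from the delegation set ID. `PreflightCreds`, `Report`, `resolveEnv`, `normalizeDelegationSet` and the sample creds document are this example's own names and constructed input, not DNSControl's.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// route53Creds mirrors one Route 53 entry in creds.json, such as the
// "r53_main" block shown under Configuration. Tags match the keys as written.
type route53Creds struct {
	KeyId         string `json:"KeyId"`
	SecretKey     string `json:"SecretKey"`
	Token         string `json:"Token"`
	DelegationSet string `json:"DelegationSet"`
}

// Report is the outcome of one preflight run. Each finding names the
// dnscontrol error it would otherwise surface as at runtime.
type Report struct {
	EntryFound    bool
	DelegationSet string   // bare ID, "/delegationset/" prefix removed
	Findings      []string // empty means nothing obviously wrong
}

// resolveEnv expands a "$VAR" value from the environment, the indirection the
// creds file permits; literal values pass through unchanged.
func resolveEnv(v string) string {
	if strings.HasPrefix(v, "$") {
		return os.Getenv(strings.TrimPrefix(v, "$"))
	}
	return v
}

// normalizeDelegationSet strips the "/delegationset/" prefix that the AWS CLI
// prints for a reusable delegation set; the creds entry needs the bare ID.
func normalizeDelegationSet(id string) string {
	return strings.TrimPrefix(strings.TrimSpace(id), "/delegationset/")
}

// PreflightCreds parses creds.json content and checks the entry that
// NewDnsProvider(providerName, 'ROUTE53') will look up. It never calls AWS.
func PreflightCreds(credsJSON []byte, providerName string) (Report, error) {
	var r Report
	var all map[string]json.RawMessage
	if err := json.Unmarshal(credsJSON, &all); err != nil {
		return r, fmt.Errorf("creds.json is not valid JSON: %w", err)
	}
	raw, ok := all[providerName]
	if !ok {
		r.Findings = append(r.Findings, fmt.Sprintf(
			"no entry %q in creds.json: expect NoCredentialProviders (creds key mismatch)", providerName))
		return r, nil
	}
	r.EntryFound = true
	var c route53Creds
	if err := json.Unmarshal(raw, &c); err != nil {
		return r, fmt.Errorf("entry %q: %w", providerName, err)
	}
	// Assumed lengths: 20-character access key IDs, 40-character secrets.
	// A mismatch is only a warning; Token (want 0) is optional and unchecked.
	checks := []struct {
		name string
		val  string
		want int
	}{{"KeyId", c.KeyId, 20}, {"SecretKey", c.SecretKey, 40}, {"Token", c.Token, 0}}
	for _, ch := range checks {
		v := resolveEnv(ch.val)
		if v == "" {
			if ch.name != "Token" {
				r.Findings = append(r.Findings, ch.name+
					" is empty or its $VAR is unset: expect NoCredentialProviders unless another source supplies it")
			}
			continue
		}
		if strings.ContainsAny(v, " \t\r\n") {
			r.Findings = append(r.Findings, ch.name+" contains whitespace: expect IncompleteSignature")
		}
		if n := len(strings.TrimSpace(v)); ch.want != 0 && n != ch.want {
			r.Findings = append(r.Findings, fmt.Sprintf(
				"%s has length %d, expected %d: check for a quoting or copy-paste error", ch.name, n, ch.want))
		}
	}
	r.DelegationSet = normalizeDelegationSet(c.DelegationSet)
	return r, nil
}

func main() {
	// Constructed sample input that trips the whitespace check and uses the
	// $VAR form; not a real credential.
	sample := []byte(`{"r53_main": {
	  "KeyId": "ABCDEFGHIJKLMNOPQRST ",
	  "SecretKey": "$AWS_SECRET_ACCESS_KEY",
	  "DelegationSet": "/delegationset/12312312123"}}`)
	for _, name := range []string{"r53_main", "r53main"} {
		rep, err := PreflightCreds(sample, name)
		if err != nil {
			fmt.Println("error:", err)
			os.Exit(1)
		}
		fmt.Printf("%s: found=%v delegationset=%q\n", name, rep.EntryFound, rep.DelegationSet)
		for _, f := range rep.Findings {
			fmt.Println("  -", f)
		}
	}
}
```

Run it in CI before `dnscontrol preview`. Because it never contacts AWS it cannot detect a well-formed but wrong key, which still surfaces as `InvalidClientTokenId` or `SignatureDoesNotMatch`; it catches the cases that are pure file and environment hygiene.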